DBMS
DBMS Security
Database security refers to DBMS features and other related measures that comply with the organization’s security requirements
Security measures should be implemented to protect the DBMS against service degradation and to protect the database against data loss, corruption or mishandling.
The DBA (database administrator) should secure the DBMS from the point of installation through operation and maintenance.
- Changing default system passwords
- Securing installation folders with proper access rights
- Changing default installation paths
- Making sure that only required services are running
- Applying the latest patches
- Setting up audit logs
DBMS Controls
Controls over database management systems fall into two general categories: access controls and backup controls.
Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting or destroying the entity’s data.
Backup controls ensure that in the event of data loss due to unauthorized access, equipment failure or physical disaster, the organization can still recover the database.
User Views
The DBA is in charge of user view design and must work closely with all users and system designers in this task.
Permission to access the database must reflect the users’ legitimate needs and requirements.
User Defined Procedures
User-defined procedures allow users to create a personal security program or routine that provides more positive user identification than a single password.
For example, adding a security question like (mother’s name, pet name) in addition to the password.
Data Encryption
Encryption is used to protect data that is transmitted over communication lines. Database systems also use encryption procedures to protect highly sensitive stored data, such as product formulas, password files and financial data, so that an intruder who obtains the stored data cannot read it.
The auditor should verify that SENSITIVE DATA, such as passwords, are properly encrypted. Printing the file contents to hard copy and inspecting them for readable values is one way to do this.
Biometric Devices
User authentication procedures such as biometric devices measure various personal characteristics such as fingerprint, voice detection, retina prints and other signature characteristics.
The auditor should evaluate the COST & BENEFITS of biometric controls. These would be most appropriate where highly sensitive data are accessed by a very limited number of users.
Inference Control
Inference controls preserve the confidentiality and integrity of the database by preventing users from inferring, through query features, specific data values they are not authorized to access.
The auditor should verify that DATABASE QUERY CONTROLS exist to prevent unauthorized access via inference. The auditor can test controls by simulating access by a sample of users & attempting to retrieve unauthorized data via inference queries.
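The inference test described above, as an added example that is not part of the original notes: a small query mediator applies two common database query controls (a query-set-size restriction and a query-overlap restriction), and an auditor-style routine tries to derive one employee's salary from two aggregate queries, first with the controls off and then on. The table, the thresholds and all function names are constructed assumptions.

```python
# Constructed sample table: (employee_id, department, salary)
EMPLOYEES = [
    (1, "Finance", 90000), (2, "Finance", 70000), (3, "Finance", 65000),
    (4, "Engineering", 110000), (5, "Engineering", 105000),
    (6, "Engineering", 98000), (7, "Sales", 60000), (8, "Sales", 62000),
]


class InferenceBlocked(Exception):
    """Raised when a query control refuses an aggregate query."""


class QueryGuard:
    """Mediates SUM queries over EMPLOYEES (assumed thresholds).

    min_size:    smallest query set answered; the complement is bounded too,
                 because a set of all-but-one rows leaks the missing row.
    max_overlap: most rows a new query set may share with any earlier one,
                 which stops the "total minus total-without-X" difference trick.
    enforce=False models a DBMS with no inference controls, the baseline an
    auditor compares against."""

    def __init__(self, min_size=2, max_overlap=1, enforce=True):
        self.min_size, self.max_overlap, self.enforce = min_size, max_overlap, enforce
        self.history = []  # query sets (sets of ids) already answered

    def sum_salary(self, predicate):
        rows = [r for r in EMPLOYEES if predicate(r)]
        ids = {r[0] for r in rows}
        if self.enforce:
            n, total = len(ids), len(EMPLOYEES)
            if n < self.min_size or n > total - self.min_size:
                raise InferenceBlocked(f"query set size {n} not allowed")
            for prev in self.history:
                if len(ids & prev) > self.max_overlap:
                    raise InferenceBlocked("query overlaps an earlier query too much")
        self.history.append(ids)
        return sum(r[2] for r in rows)


def is_blocked(guard, predicate):
    """True if the guard refuses this aggregate query."""
    try:
        guard.sum_salary(predicate)
    except InferenceBlocked:
        return True
    return False


def audit_inference_test(enforce):
    """Auditor's simulation: try to learn employee 1's salary from aggregates.
    Returns the inferred value, or None if the controls blocked the attempt."""
    guard = QueryGuard(enforce=enforce)
    try:
        dept_total = guard.sum_salary(lambda r: r[1] == "Finance")
        without_one = guard.sum_salary(lambda r: r[1] == "Finance" and r[0] != 1)
    except InferenceBlocked:
        return None
    return dept_total - without_one
```

With controls off the two department sums differ by exactly the target salary; with controls on, the single-row query fails the size check and the second aggregate fails the overlap check.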
DBMS is a special software system that is programmed to know which data elements each user is authorized to access.
The user’s program sends requests for data to the DBMS, which validates and authorizes access to the database in accordance with user’s level of authority.
The DBMS centralizes the organization's data into a common database that is shared by all users.
Elimination of Data Storage Problem - Each data element is stored only once, thereby eliminating data redundancy and reducing data collection and storage costs
Elimination of Data Update Problem - Because each data element exists in only one place, it requires only a single update procedure. This reduces the time and cost of keeping the database current.
Elimination of Currency Problem - A single change to a database attribute is automatically made available to all users of the attribute
Elimination of Task-Data Dependency Problem - The most striking difference between the database model and the flat-file model is the pooling of data into a common database that is shared by all organizational users. With access to the full domain of entity data, changes in user information needs can be satisfied without obtaining additional private data sets.
- IS standards & guidelines on auditing DBMS
Attribute Standards - These address the attributes of organizations and individuals performing internal audit services and apply to all internal audit services.
Performance Standards - Describe the nature of internal audit services provided.
Provide quality criteria against which the performance of these services can be measured.
Implementation Standards - Prescribe standards applicable to specific types of engagements in a variety of industries as well as specialist areas of service delivery.
ISACA Code of Professional Ethics for IS Auditors - IS auditing standards inform IS auditors of the minimum level of acceptable performance required to meet their professional responsibilities under the Code.
Holders of the Certified Information Systems Auditor (CISA) designation are required to comply with these standards. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or an appropriate ISACA committee.
- Audit procedures for DBMS